You may be interested in a quick summary of the countries where the attacks come from. This document explains how to find these information.

+

You may be interested in a quick summary of the countries where the attacks come from. This document explains how to find these information.

== Requirements==

== Requirements==

Line 23:

Line 23:

== Script ==

== Script ==

−

This small script will extract the banned IPs from fail2ban.log. It looks for lines such as "..... Ban 192.168.1.1", extracts the IP and runs geoiplookup. You may have to change the hardcoded paths in the script <span class="plainlinks">[http://www.surgepromotions.com/74/custom-shot-glasses/ <span style="color:black;font-weight:normal; text-decoration:none!important; background:none!important; text-decoration:none;">custom shot glasses</span>] depending on your configuration.

+

This small script will extract the banned IPs from fail2ban.log. It looks for lines such as "..... Ban 192.168.1.1", extracts the IP and runs geoiplookup. You may have to change the hardcoded <span class="plainlinks">[http://thebeginnerslens.com/top-iphone-camera-apps-of-the-month <span style="color:black;font-weight:normal; text-decoration:none!important; background:none!important; text-decoration:none;">iphone camera apps</span>] paths in the script depending on your <span class="plainlinks">[http://xTiburon.com <span style="color:black;font-weight:normal; text-decoration:none!important; background:none!important; text-decoration:none;">business blog</span>] configuration.

+

+

<pre>

<pre>
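Review bot: the added "This small script will extract the banned IPs..." line still carries advertising links, now two of them (thebeginnerslens.com and xTiburon.com), spliced into the middle of the sentence inside spans styled color:black with text-decoration:none so they read as ordinary text. Neither link text ("iphone camera apps", "business blog") has anything to do with fail2ban.log or geoiplookup, and the removed line had the same problem with its surgepromotions.com link. Suggest restoring the plain sentence: "You may have to change the hardcoded paths in the script depending on your configuration."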

Line 42:

Line 44:

</pre>

</pre>

−

There is a package of GeoIP bindings for Python available as well. The following script performs a similar function using those bindings, plus it works on Fedora and any other distro where fail2ban outputs by the <span class="plainlinks">[http://c-c.com.au/ <span style="color:black;font-weight:normal; text-decoration:none!important; background:none!important; text-decoration:none;">Brisbane Website Designers</span>] to syslog:

+

There is a package of GeoIP bindings for Python available as well. The following script performs a similar function using those bindings, plus it works on Fedora and any other distro where fail2ban outputs to syslog:

As the geoiplookup database will be pretty outdated (the current included version are from 20060501 in stable debian) you might want to update it regularly as IP assignment changes. One way of doing that is to use a crontab <span class="plainlinks">[http://www.mycaal.com/<span style="color:black;font-weight:normal; text-decoration:none!important;background:none!important; text-decoration:none;">loan modification</span>] entry that downloads the updated version from maxmind and untar's it to the correct position. I use something like this [http://www.autoinsurancequoteseasy.com/ <span style="color:black;font-weight:normal; text-decoration:none!important; background:none!important; text-decoration:none;">quote</span>]

+

As the geoiplookup database will be pretty outdated (the current included version are from 20060501 in stable debian) you might want to update it regularly as IP assignment changes. One way of doing that is to use a crontab
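Review bot: the added "As the geoiplookup database..." line stops at "use a crontab", while the other copy of the paragraph continues with "entry that downloads the updated version from maxmind and untar's it to the correct position", so the replacement loses the instruction it is introducing. That other copy also embeds styled external links (mycaal.com, autoinsurancequoteseasy.com) that should not come back; suggest keeping the full sentence with the links stripped. The "There is a package of GeoIP bindings..." replacement, which drops the c-c.com.au link, looks right as it stands.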

This will install "geoiplookup", and "geoipupdate" to update the database (you need a license ID to get a new database).

In Debian or Ubuntu, one can simply run apt-get install geoip-bin

In Fedora, you can install with this command:

pkcon install GeoIP

Script

This small script will extract the banned IPs from fail2ban.log. It looks for lines such as "..... Ban 192.168.1.1", extracts the IP and runs geoiplookup. You may have to change the hardcoded paths in the script depending on your configuration.
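The approach described above, as an added example in POSIX shell; it is not the wiki's original script. The sample log lines are constructed, the function names are hypothetical, and it assumes geoiplookup is on the PATH and that the log lives at /var/log/fail2ban.log.

```shell
#!/bin/sh
# Added example, not the wiki's script. Assumes geoiplookup (geoip-bin) is on PATH.

# Constructed sample log lines (documentation-range addresses).
sample_log() {
    cat <<'EOF'
2024-05-01 10:00:01,123 fail2ban.actions [812]: NOTICE [sshd] Ban 192.0.2.10
2024-05-01 10:05:44,001 fail2ban.actions [812]: NOTICE [sshd] Ban 198.51.100.7
2024-05-01 10:10:01,500 fail2ban.actions [812]: NOTICE [sshd] Unban 192.0.2.10
2024-05-01 11:00:09,900 fail2ban.actions [812]: NOTICE [sshd] Ban 192.0.2.10
2024-05-01 11:02:00,000 fail2ban.actions [812]: NOTICE [sshd] Ban 999.1.1.1
EOF
}

# Print the address that follows a "Ban" field, one per line. "Unban" is a
# different field, so it is skipped. Anything that is not a dotted quad with
# octets 0-255 is dropped, so only validated addresses reach geoiplookup.
banned_ips() {
    awk '{
        for (i = 1; i < NF; i++) {
            if ($i != "Ban") continue
            ip = $(i + 1)
            if (ip !~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/) continue
            split(ip, octet, ".")
            ok = 1
            for (j = 1; j <= 4; j++) if (octet[j] + 0 > 255) ok = 0
            if (ok) print ip
        }
    }'
}

# Country for one address, e.g. "US, United States". The sed filter keeps only
# the country-edition line in case other GeoIP databases are installed too.
country_of() {
    geoiplookup "$1" </dev/null | sed -n 's/^GeoIP Country Edition: //p' | head -n 1
}

# Read a log on stdin and print "count country", most bans first.
# Each distinct address is looked up once, however often it was banned.
country_summary() {
    banned_ips | sort | uniq -c | while read -r count ip; do
        printf '%s\t%s\n' "$count" "$(country_of "$ip")"
    done | awk -F '\t' '{ n[$2] += $1 } END { for (c in n) printf "%d %s\n", n[c], c }' |
        sort -rn
}

# Usage: sh bans-by-country.sh /var/log/fail2ban.log
if [ "$#" -ge 1 ]; then country_summary < "$1"; fi
```

Where fail2ban logs to syslog instead, pass the syslog file as the argument; the "Ban" field match does not depend on the line prefix.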

There is a package of GeoIP bindings for Python available as well. The following script performs a similar function using those bindings, plus it works on Fedora and any other distro where fail2ban outputs to syslog:

Logging

You can also change the fail2ban script to write the country code to the log file whenever a ban occurs. Make sure you install geoiplookup, then edit the file /usr/share/fail2ban/server/actions.py and change line 31 to read

Other interesting links

Updated GeoIP database

As the geoiplookup database will be pretty outdated (the currently included version is from 20060501 in stable Debian), you might want to update it regularly as IP assignments change. One way of doing that is to use a crontab entry that downloads the updated version from MaxMind and untars it to the correct position.

@monthly = do it every month (duh)
root = as user root
sleep $[$RANDOM/1024]; = sleep for a random time (so all you guys don't DDoS MaxMind's server every month at the same time)
wget ... | gunzip ... && ... = wget and pipe to gunzip, if that succeeds, move the file to the correct place